Malware Analysis Report

2025-01-18 18:49

Sample ID 220124-btk2kaheg3
Target a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb
SHA256 a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb
Tags
29 1386 sodinokibi ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb

Threat Level: Known bad

The file a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb was found to be: Known bad.

Malicious Activity Summary

29 1386 sodinokibi ransomware

Sodinokibi family

Sodinokibi/Revil sample

Sodin,Sodinokibi,REvil

Modifies extensions of user files

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:26

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:26

Reported

2022-01-24 06:59

Platform

win7-en-20211208

Max time kernel

141s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\MeasureDebug.tiff => \??\c:\users\admin\pictures\MeasureDebug.tiff.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\InitializeSet.raw => \??\c:\users\admin\pictures\InitializeSet.raw.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\SkipPing.tiff => \??\c:\users\admin\pictures\SkipPing.tiff.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\StartUndo.tiff => \??\c:\users\admin\pictures\StartUndo.tiff.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\users\admin\pictures\StartUndo.tiff C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\GrantAssert.crw => \??\c:\users\admin\pictures\GrantAssert.crw.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\GroupOut.png => \??\c:\users\admin\pictures\GroupOut.png.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\UndoRepair.raw => \??\c:\users\admin\pictures\UndoRepair.raw.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\users\admin\pictures\MeasureDebug.tiff C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\users\admin\pictures\SkipPing.tiff C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\SetRegister.raw => \??\c:\users\admin\pictures\SetRegister.raw.da0sa18f C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93r76z101l080.bmp" C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\BackupEnable.snd C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ExpandWrite.xltx C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\HideBackup.aif C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\InitializeUpdate.tmp C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files\da0sa18f-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ExpandPop.dotm C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\FormatApprove.html C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ImportBlock.vdx C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ResetCheckpoint.wmx C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\SetPublish.cr2 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\DenyAssert.ttc C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\TestInstall.WTV C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\da0sa18f-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\da0sa18f-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\da0sa18f-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files (x86)\da0sa18f-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\DismountInvoke.otf C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\OpenStep.3gp C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\RegisterImport.mht C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\RemoveProtect.vssm C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\SwitchGrant.xlsb C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
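The rename, ransom-note, drive-probe and wallpaper rows above follow one pattern: every file gets a per-run random extension (da0sa18f here, 83244k9s in the Windows 10 run), every directory receives a note named `<extension>-readme.txt`, and every drive letter is probed first. The Python below is an added triage example, not code from the report or from the sandbox vendor: it parses rows written in the report's own Description/Indicator style, infers the extension from the renames, and checks that each dropped note carries the same prefix, which is how the note name ties back to the encrypted files on a real host. The event list is constructed from a few of the rows above plus one deliberately mismatched note; the function and field names are the example's own.

```python
"""Triage ransomware file-system and registry rows in the sandbox report's format.

Added example, not part of the report or of any vendor tooling. SAMPLE_EVENTS
is constructed from a subset of the behavioral1 rows plus one note using the
second run's extension so the consistency check has something to catch.
"""
from collections import Counter
import ntpath
import re

SAMPLE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\MeasureDebug.tiff => \??\c:\users\admin\pictures\MeasureDebug.tiff.da0sa18f",
    r"File renamed C:\Users\Admin\Pictures\InitializeSet.raw => \??\c:\users\admin\pictures\InitializeSet.raw.da0sa18f",
    r"File renamed C:\Users\Admin\Pictures\GroupOut.png => \??\c:\users\admin\pictures\GroupOut.png.da0sa18f",
    r"File opened for modification \??\c:\users\admin\pictures\StartUndo.tiff",
    r"File opened (read-only) \??\J:",
    r"File opened (read-only) \??\D:",
    r"File opened (read-only) \??\Z:",
    r"File created \??\c:\program files\da0sa18f-readme.txt",
    r"File created \??\c:\program files (x86)\da0sa18f-readme.txt",
    # constructed: a note whose prefix does not match the inferred extension
    r"File created \??\c:\users\admin\desktop\83244k9s-readme.txt",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93r76z101l080.bmp"',
]

NT_PREFIX = "\\??\\"          # the NT-namespace spelling the kernel-side rows use
NOTE_RE = re.compile(r"^([a-z0-9]+)-readme\.txt$")


def normalize(path):
    """Strip the \\??\\ prefix and lower-case so NT and Win32 spellings compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def parse_event(line):
    """Return (kind, target, extra); extra is the rename destination or registry value."""
    for prefix in ("File renamed ", "File created ", "File opened for modification ",
                   "File opened (read-only) ", "Set value (str) "):
        if line.startswith(prefix):
            rest = line[len(prefix):]
            if prefix == "File renamed ":
                src, dst = rest.split(" => ", 1)
                return ("renamed", src, dst)
            if prefix == "Set value (str) ":
                key, value = rest.split(" = ", 1)
                # the report renders the value JSON-escaped, so undo the doubled backslashes
                return ("setvalue", key, value.strip('"').replace("\\\\", "\\"))
            return (prefix.strip().lower(), rest, None)
    return ("other", line, None)


def infer_extension(events):
    """The suffix most renames append is the per-victim extension."""
    suffixes = Counter()
    for kind, src, dst in events:
        if kind != "renamed":
            continue
        s, d = normalize(src), normalize(dst)
        if d.startswith(s) and len(d) > len(s):
            suffixes[d[len(s):].lstrip(".")] += 1
    return suffixes.most_common(1)[0][0] if suffixes else None


def ransom_notes(events):
    """Map note directory -> extension prefix for every '<ext>-readme.txt' created."""
    notes = {}
    for kind, path, _ in events:
        if kind == "file created":
            directory, name = ntpath.split(normalize(path))
            m = NOTE_RE.match(name)
            if m:
                notes[directory] = m.group(1)
    return notes


def enumerated_drives(events):
    """Drive letters probed with a read-only open of the root (\\??\\X:)."""
    return sorted(normalize(p)[0].upper() for kind, p, _ in events
                  if kind == "file opened (read-only)" and re.fullmatch(r"[a-z]:", normalize(p)))


def wallpaper(events):
    for kind, key, value in events:
        if kind == "setvalue" and key.lower().endswith(r"\control panel\desktop\wallpaper"):
            return value
    return None


def summarize(lines):
    events = [parse_event(line) for line in lines]
    ext = infer_extension(events)
    notes = ransom_notes(events)
    return {
        "extension": ext,
        "renamed": sum(1 for k, *_ in events if k == "renamed"),
        "notes": len(notes),
        "notes_matching_extension": sum(1 for e in notes.values() if e == ext),
        "drives_probed": "".join(enumerated_drives(events)),
        "wallpaper": wallpaper(events),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_EVENTS).items():
        print(f"{k:26} {v}")
```

On a live host the same logic runs over file-creation telemetry: a burst of renames sharing one new suffix, plus a `<suffix>-readme.txt` in each touched directory, identifies both the family convention and the per-victim extension needed to scope the cleanup.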

Modifies system certificate store

evasion spyware trojan
Note: the only blob reproduced below (AuthRoot\Certificates\D1EB23A4...) decodes to the Comodo CA Limited "AAA Certificate Services" root certificate (friendly name COMODO; the value is a property list carrying its MD5 and SHA-1 hashes and key identifier followed by the 1078-byte DER certificate). Public roots appearing in HKLM AuthRoot and intermediates in the user's CA store while a process is opening many outbound TLS connections is consistent with Windows' automatic root update and chain building rather than with a certificate installed by the sample, so treat this signature as low confidence here and verify each thumbprint against the Microsoft root program before acting on it.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = (blob elided) C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob elided) C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4DEEA7060D80BABF1643B4E0F0104C82995075B7 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob elided) C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (blob elided) C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4DEEA7060D80BABF1643B4E0F0104C82995075B7\Blob = (blob elided) C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
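To verify what such a Blob value contains rather than trusting the signature label, the record format can be parsed directly. The Python below is an added example, not from the report or from Microsoft; it assumes the layout CryptoAPI uses for serialized store entries (DWORD property id, DWORD reserved always 1, DWORD length, data), which is the layout visible in the hex above. BLOB_PREFIX_HEX is the start of the D1EB23A4... blob from the row above, cut before the 1078-byte certificate record (property 32) to keep the listing short; the parser handles a full blob the same way and then recomputes the thumbprint from the DER instead of trusting the stored hash. The property-name table and function names are the example's own.

```python
"""Parse a CryptoAPI certificate-store registry Blob and cross-check it.

Added example, not from the report. Each entry under
SystemCertificates\\...\\Certificates\\<SHA1>\\Blob is a sequence of property
records: DWORD propid, DWORD reserved (1), DWORD length, data. BLOB_PREFIX_HEX
is the leading part of the report's AuthRoot D1EB23A4... blob, truncated
before the certificate record (propid 32) so the listing stays short.
"""
import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values the example needs; others print by number
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    24: "CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}

BLOB_PREFIX_HEX = (
    "040000000100000010000000497904b0eb8719ac47b0bc11519b74d0"
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "0b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000"
)
REGISTRY_KEY_THUMBPRINT = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"


def parse_cert_blob(blob):
    """Yield (propid, data) records; raise ValueError on a malformed blob."""
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed record (propid %d) at offset %d" % (propid, off - 12))
        yield propid, blob[off:off + length]
        off += length


def describe_cert_blob(blob, key_thumbprint):
    """Summarize the blob and check it against the registry key it lives under."""
    props = {pid: data for pid, data in parse_cert_blob(blob)}
    info = {
        "properties": [PROP_NAMES.get(pid, "prop_%d" % pid) for pid in props],
        "sha1": props[3].hex() if 3 in props else None,
        "md5": props[4].hex() if 4 in props else None,
        # friendly name is a NUL-terminated UTF-16LE string
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00") if 11 in props else None,
        "has_certificate": 32 in props,
    }
    # The key name is the SHA-1 thumbprint; a mismatch means the entry was not
    # written by CryptoAPI or was tampered with. When the DER is present,
    # recompute the hash rather than trusting the stored property.
    info["key_matches_sha1_prop"] = info["sha1"] == key_thumbprint.lower()
    if 32 in props:
        info["sha1_recomputed"] = hashlib.sha1(props[32]).hexdigest()
        info["key_matches_der"] = info["sha1_recomputed"] == key_thumbprint.lower()
    return info


if __name__ == "__main__":
    for k, v in describe_cert_blob(bytes.fromhex(BLOB_PREFIX_HEX), REGISTRY_KEY_THUMBPRINT).items():
        print("%-22s %s" % (k, v))
```

Reading the remaining AuthRoot and CA entries the same way (exporting each Blob value with reg.exe and feeding the bytes to describe_cert_blob) turns the signature into a checkable list of thumbprints and subjects instead of a generic "modifies certificate store" hit.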

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe

"C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
(The -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every Volume Shadow Copy through WMI so files cannot be restored from previous versions. The unsecapp.exe and vssvc.exe processes below, and the SeBackupPrivilege/SeRestorePrivilege tokens taken by vssvc.exe, are the WMI callback sink and the Volume Shadow Copy service servicing that request.)

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
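The encoded PowerShell command in the process list is the first thing to decode when triaging a run like this. The Python below is an added example, not part of the report or of any vendor tool: it decodes -EncodedCommand arguments (base64 of UTF-16LE) and matches the result, as well as unencoded command lines, against shadow-copy deletion patterns, going beyond the WMI form seen here to the vssadmin, wmic and wbadmin variants. The process log is constructed in a pid/image/command-line layout; the first encoded command is the one recorded above, while the remaining rows (PIDs, the vssadmin line and the harmless Get-Date command) are made up for contrast.

```python
"""Decode PowerShell -EncodedCommand arguments and flag shadow-copy deletion.

Added example for triaging process-creation logs; not part of the sandbox
report or of any vendor tooling. SAMPLE_PROCESS_LOG is constructed as
"pid<TAB>image<TAB>command line"; the first encoded command is the one the
report recorded, the other rows are made up for contrast.
"""
import base64
import re
from typing import Optional

# Ways ransomware commonly destroys Volume Shadow Copies before encrypting.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I),   # WMI, as in this report
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
ENCODED_FLAGS = {"-e", "-ec", "-enc"}

SAMPLE_PROCESS_LOG = [
    "1792\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
    "2044\tC:\\Windows\\system32\\wbem\\unsecapp.exe\tC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding",
    "1104\tC:\\Windows\\system32\\vssvc.exe\tC:\\Windows\\system32\\vssvc.exe",
    # constructed: the same goal via vssadmin, no encoding involved
    "3012\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    # constructed: an encoded but harmless command (decodes to Get-Date)
    "3050\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -NoProfile -EncodedCommand RwBlAHQALQBEAGEAdABlAA==",
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind powershell -e/-ec/-enc/-EncodedCommand, else None.

    The argument is base64 of UTF-16LE text, so it must be decoded as
    utf-16-le; decoding it as UTF-8 yields NUL-separated garbage. PowerShell
    also accepts longer unambiguous prefixes of -EncodedCommand.
    """
    argv = cmdline.split()
    for i, arg in enumerate(argv[:-1]):
        flag = arg.lower()
        if flag in ENCODED_FLAGS or (len(flag) >= 4 and "-encodedcommand".startswith(flag)):
            try:
                raw = base64.b64decode(argv[i + 1].strip("\"'"), validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def triage_process_log(lines):
    """Return (pid, image, command, pattern) for every shadow-copy deletion.

    Both the raw command line and, where present, the decoded payload are
    matched so that encoding cannot hide the command from the patterns.
    """
    hits = []
    for line in lines:
        pid, image, cmdline = line.split("\t", 2)
        decoded = decode_encoded_command(cmdline)
        for text in (cmdline, decoded):
            if text is None:
                continue
            pat = next((p for p in SHADOW_DELETE_PATTERNS if p.search(text)), None)
            if pat:
                hits.append((int(pid), image, text, pat.pattern))
                break
    return hits


if __name__ == "__main__":
    for pid, image, cmd, pat in triage_process_log(SAMPLE_PROCESS_LOG):
        print(f"pid {pid}: {image}\n  {cmd}\n  matched {pat}")
```

Running the file prints the two deletion attempts (the decoded WMI command from this report and the constructed vssadmin line) and stays silent on the harmless encoded command, which is the behaviour a process-creation detection rule needs: decode first, then match.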

Network

Note: Sodinokibi/REvil builds carry a long configuration list of mostly legitimate, often compromised, web sites and issue HTTPS requests to them during the run; the hosts below are that list as resolved in the sandbox rather than confirmed command-and-control, so block or attribute them only with further evidence. The single plaintext request, cacerts.thawte.com on port 80, is consistent with CryptoAPI fetching an issuer certificate while validating those TLS sessions, the same mechanism that accounts for the certificate-store writes recorded above.

Country Destination Domain Proto
US 8.8.8.8:53 silverbird.dk udp
US 8.8.8.8:53 betterce.com udp
US 34.200.75.129:443 betterce.com tcp
US 8.8.8.8:53 vapiano.fr udp
US 162.159.135.42:443 vapiano.fr tcp
US 162.159.135.42:443 vapiano.fr tcp
US 8.8.8.8:53 penumbuhrambutkeiskei.com udp
US 8.8.8.8:53 alcye.com udp
US 8.8.8.8:53 wasnederland.nl udp
US 8.8.8.8:53 sealgrinderpt.com udp
US 172.67.139.123:443 sealgrinderpt.com tcp
US 8.8.8.8:53 janmorgenstern.com udp
DE 217.160.0.205:443 janmorgenstern.com tcp
DE 217.160.0.205:443 janmorgenstern.com tcp
US 8.8.8.8:53 alltagsrassismus-entknoten.de udp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
US 8.8.8.8:53 line-x.co.uk udp
US 104.21.28.99:443 line-x.co.uk tcp
US 8.8.8.8:53 littlesaints.academy udp
US 151.101.66.159:443 littlesaints.academy tcp
US 151.101.66.159:443 littlesaints.academy tcp
US 8.8.8.8:53 motocrosshideout.com udp
US 198.46.90.29:443 motocrosshideout.com tcp
US 198.46.90.29:443 motocrosshideout.com tcp
US 8.8.8.8:53 flossmoordental.com udp
US 173.255.198.240:443 flossmoordental.com tcp
US 8.8.8.8:53 stralsund-ansichten.de udp
DE 91.210.225.22:443 stralsund-ansichten.de tcp
DE 91.210.225.22:443 stralsund-ansichten.de tcp
US 8.8.8.8:53 efficiencyconsulting.es udp
ES 91.146.100.126:443 efficiencyconsulting.es tcp
ES 91.146.100.126:443 efficiencyconsulting.es tcp
US 8.8.8.8:53 welovecustomers.fr udp
FR 51.15.236.35:443 welovecustomers.fr tcp
US 8.8.8.8:53 www.welovecustomers.fr udp
NL 65.9.82.56:443 www.welovecustomers.fr tcp
NL 65.9.82.56:443 www.welovecustomers.fr tcp
US 8.8.8.8:53 buerocenter-butzbach-werbemittel.de udp
US 8.8.8.8:53 clinic-beethovenstrasse-ag.ch udp
DE 157.90.88.146:443 clinic-beethovenstrasse-ag.ch tcp
DE 157.90.88.146:443 clinic-beethovenstrasse-ag.ch tcp
US 8.8.8.8:53 90nguyentuan.com udp
US 8.8.8.8:53 martinipstudios.com udp
NL 37.48.118.150:443 martinipstudios.com tcp
NL 37.48.118.150:443 martinipstudios.com tcp
US 8.8.8.8:53 bonitabeachassociation.com udp
US 8.8.8.8:53 luvinsburger.fr udp
FR 188.165.53.185:443 luvinsburger.fr tcp
FR 188.165.53.185:443 luvinsburger.fr tcp
US 8.8.8.8:53 jollity.hu udp
HU 185.33.54.20:443 jollity.hu tcp
HU 185.33.54.20:443 jollity.hu tcp
US 8.8.8.8:53 hvitfeldt.dk udp
DK 195.242.130.99:443 hvitfeldt.dk tcp
DK 195.242.130.99:443 hvitfeldt.dk tcp
US 8.8.8.8:53 jacquesgarcianoto.com udp
US 8.8.8.8:53 husetsanitas.dk udp
DK 77.111.240.107:443 husetsanitas.dk tcp
DK 77.111.240.107:443 husetsanitas.dk tcp
US 8.8.8.8:53 drnelsonpediatrics.com udp
US 50.116.53.94:443 drnelsonpediatrics.com tcp
US 8.8.8.8:53 cmeow.com udp
CA 165.227.40.200:443 cmeow.com tcp
CA 165.227.40.200:443 cmeow.com tcp
US 8.8.8.8:53 speiserei-hannover.de udp
DE 62.113.229.82:443 speiserei-hannover.de tcp
DE 62.113.229.82:443 speiserei-hannover.de tcp
US 8.8.8.8:53 nevadaruralhousingstudies.org udp
US 70.32.84.9:443 nevadaruralhousingstudies.org tcp
US 8.8.8.8:53 angelsmirrorus.com udp
US 35.206.92.98:443 angelsmirrorus.com tcp
US 35.206.92.98:443 angelsmirrorus.com tcp
US 8.8.8.8:53 ketomealprep.academy udp
US 216.239.32.21:443 ketomealprep.academy tcp
US 8.8.8.8:53 plbinsurance.com udp
US 54.210.110.253:443 plbinsurance.com tcp
US 54.210.110.253:443 plbinsurance.com tcp
US 8.8.8.8:53 cssp-mediation.org udp
FR 92.204.55.176:443 cssp-mediation.org tcp
FR 92.204.55.176:443 cssp-mediation.org tcp
US 8.8.8.8:53 oro.ae udp
DE 195.201.29.161:443 oro.ae tcp
DE 195.201.29.161:443 oro.ae tcp
US 8.8.8.8:53 billyoart.com udp
US 104.18.127.49:443 billyoart.com tcp
US 8.8.8.8:53 www.billyoart.com udp
US 162.159.130.90:443 www.billyoart.com tcp
US 8.8.8.8:53 mayprogulka.ru udp
RU 89.22.186.205:443 mayprogulka.ru tcp
US 8.8.8.8:53 dcc-eu.com udp
NL 149.210.195.87:443 dcc-eu.com tcp
NL 149.210.195.87:443 dcc-eu.com tcp
US 8.8.8.8:53 smartmind.net udp
ES 82.98.154.79:443 smartmind.net tcp
US 8.8.8.8:53 ebible.co udp
US 162.241.216.227:443 ebible.co tcp
US 162.241.216.227:443 ebible.co tcp
US 8.8.8.8:53 the-beauty-guides.com udp
US 8.8.8.8:53 crestgood.com udp
US 162.243.98.140:443 crestgood.com tcp
US 8.8.8.8:53 itheroes.dk udp
NL 178.62.235.8:443 itheroes.dk tcp
US 8.8.8.8:53 dreamvoiceclub.org udp
US 162.144.26.115:443 dreamvoiceclub.org tcp
US 162.144.26.115:443 dreamvoiceclub.org tcp
US 8.8.8.8:53 airserviceunlimited.com udp
DE 78.46.155.135:443 airserviceunlimited.com tcp
US 8.8.8.8:53 masecologicos.com udp
US 8.8.8.8:53 dmlcpa.com udp
US 165.227.27.108:443 dmlcpa.com tcp
US 165.227.27.108:443 dmlcpa.com tcp
US 8.8.8.8:53 chatterchatterchatter.com udp
US 8.8.8.8:53 auberives-sur-vareze.fr udp
FR 164.132.235.17:443 auberives-sur-vareze.fr tcp
US 8.8.8.8:53 brisbaneosteopathic.com.au udp
US 162.159.135.42:443 brisbaneosteopathic.com.au tcp
US 162.159.135.42:443 brisbaneosteopathic.com.au tcp
US 8.8.8.8:53 voetbalhoogeveen.nl udp
US 8.8.8.8:53 saberconcrete.com udp
US 50.62.194.59:443 saberconcrete.com tcp
US 50.62.194.59:443 saberconcrete.com tcp
US 8.8.8.8:53 therapybusinessacademy.com udp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
US 8.8.8.8:53 wallflowersandrakes.com udp
US 142.252.186.22:443 wallflowersandrakes.com tcp
US 8.8.8.8:53 craftstone.co.nz udp
NZ 103.96.117.53:443 craftstone.co.nz tcp
NZ 103.96.117.53:443 craftstone.co.nz tcp
US 8.8.8.8:53 pinkxgayvideoawards.com udp
CA 192.99.7.155:443 pinkxgayvideoawards.com tcp
CA 192.99.7.155:443 pinkxgayvideoawards.com tcp
US 8.8.8.8:53 onlinemarketingsurgery.co.uk udp
US 104.21.52.187:443 onlinemarketingsurgery.co.uk tcp
US 8.8.8.8:53 walterman.es udp
FR 92.204.222.229:443 walterman.es tcp
FR 92.204.222.229:443 walterman.es tcp
US 8.8.8.8:53 sytzedevries.com udp
NL 141.138.169.208:443 sytzedevries.com tcp
NL 141.138.169.208:443 sytzedevries.com tcp
US 8.8.8.8:53 dnqa.co.uk udp
US 8.8.8.8:53 endstarvation.com udp
US 104.21.19.81:443 endstarvation.com tcp
US 104.21.19.81:443 endstarvation.com tcp
US 8.8.8.8:53 eurethicsport.eu udp
GB 185.2.4.41:443 eurethicsport.eu tcp
GB 185.2.4.41:443 eurethicsport.eu tcp
US 8.8.8.8:53 dr-vita.de udp
DE 46.253.242.205:443 dr-vita.de tcp
DE 46.253.242.205:443 dr-vita.de tcp
US 8.8.8.8:53 oexebusiness.com udp
PL 82.214.136.24:443 oexebusiness.com tcp
US 8.8.8.8:53 cacerts.thawte.com udp
US 104.18.10.39:80 cacerts.thawte.com tcp
US 8.8.8.8:53 scentedlair.com udp
US 185.230.63.107:443 scentedlair.com tcp
US 185.230.63.107:443 scentedlair.com tcp
US 8.8.8.8:53 atma.nl udp
NL 109.237.212.70:443 atma.nl tcp
US 8.8.8.8:53 ronielyn.com udp
US 8.8.8.8:53 marcandy.com udp
US 3.138.251.142:443 marcandy.com tcp
US 3.140.179.210:443 marcandy.com tcp
US 52.14.173.103:443 marcandy.com tcp
US 8.8.8.8:53 bagaholics.in udp
CA 23.227.38.32:443 bagaholics.in tcp
CA 23.227.38.32:443 bagaholics.in tcp
US 8.8.8.8:53 xtensifi.com udp
US 192.0.78.186:443 xtensifi.com tcp
US 192.0.78.186:443 xtensifi.com tcp
US 8.8.8.8:53 elitkeramika-shop.com.ua udp
UA 185.104.45.72:443 elitkeramika-shop.com.ua tcp
US 8.8.8.8:53 colored-shelves.com udp
US 8.8.8.8:53 leansupremegarcinia.net udp
US 8.8.8.8:53 rvside.com udp
BG 194.1.147.19:443 rvside.com tcp
BG 194.1.147.19:443 rvside.com tcp
US 8.8.8.8:53 tradenavigator.ch udp
CH 149.126.4.16:443 tradenavigator.ch tcp
CH 149.126.4.16:443 tradenavigator.ch tcp
US 8.8.8.8:53 smartspeak.com udp
AU 35.201.0.0:443 smartspeak.com tcp
US 8.8.8.8:53 die-immo-agentur.de udp
FR 85.25.222.75:443 die-immo-agentur.de tcp
US 8.8.8.8:53 shortsalemap.com udp
US 192.249.114.80:443 shortsalemap.com tcp
US 192.249.114.80:443 shortsalemap.com tcp
US 8.8.8.8:53 chorusconsulting.net udp
US 45.79.78.100:443 chorusconsulting.net tcp
US 8.8.8.8:53 log-barn.co.uk udp
GB 149.255.60.174:443 log-barn.co.uk tcp
GB 149.255.60.174:443 log-barn.co.uk tcp
US 8.8.8.8:53 adterium.com udp
US 70.32.23.61:443 adterium.com tcp
US 70.32.23.61:443 adterium.com tcp
US 8.8.8.8:53 yvesdoin-aquarelles.fr udp
FR 87.98.154.146:443 yvesdoin-aquarelles.fr tcp
US 8.8.8.8:53 triavlete.com udp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 tzn.nu udp
NL 37.128.144.87:443 tzn.nu tcp
US 8.8.8.8:53 werkzeugtrolley.net udp
DE 212.172.54.148:443 werkzeugtrolley.net tcp
US 8.8.8.8:53 topautoinsurers.net udp
US 208.91.197.13:443 topautoinsurers.net tcp
US 8.8.8.8:53 alattekniksipil.com udp
ID 103.146.63.78:443 alattekniksipil.com tcp
ID 103.146.63.78:443 alattekniksipil.com tcp
US 8.8.8.8:53 ninjaki.com udp
US 199.102.46.200:443 ninjaki.com tcp
US 199.102.46.200:443 ninjaki.com tcp
US 8.8.8.8:53 jameswilliamspainting.com udp
US 8.8.8.8:53 innersurrection.com udp
US 209.59.190.118:443 innersurrection.com tcp
US 209.59.190.118:443 innersurrection.com tcp
US 8.8.8.8:53 lgiwines.com udp
CA 192.99.13.111:443 lgiwines.com tcp
US 8.8.8.8:53 silkeight.com udp
RO 188.213.19.167:443 silkeight.com tcp
RO 188.213.19.167:443 silkeight.com tcp
US 8.8.8.8:53 domaine-des-pothiers.com udp
FR 213.186.33.19:443 domaine-des-pothiers.com tcp
US 8.8.8.8:53 galatee-couture.com udp
FR 109.234.167.98:443 galatee-couture.com tcp
FR 109.234.167.98:443 galatee-couture.com tcp
US 8.8.8.8:53 stage-infirmier.fr udp
FR 46.105.39.239:443 stage-infirmier.fr tcp
US 8.8.8.8:53 electricianul.com udp
RO 91.216.156.120:443 electricianul.com tcp
RO 91.216.156.120:443 electricianul.com tcp
US 8.8.8.8:53 avis.mantova.it udp
FR 195.154.173.50:443 avis.mantova.it tcp
FR 195.154.173.50:443 avis.mantova.it tcp
US 8.8.8.8:53 cascinarosa33.it udp
FR 217.70.186.111:443 cascinarosa33.it tcp
US 8.8.8.8:53 donau-guides.eu udp
US 104.21.27.118:443 donau-guides.eu tcp
US 8.8.8.8:53 donauguides.com udp
US 104.21.90.5:443 donauguides.com tcp
US 8.8.8.8:53 allinonecampaign.com udp
US 66.7.218.146:443 allinonecampaign.com tcp
US 66.7.218.146:443 allinonecampaign.com tcp

Files

memory/1516-54-0x0000000075471000-0x0000000075473000-memory.dmp

memory/1792-55-0x000007FEFB611000-0x000007FEFB613000-memory.dmp

memory/1792-56-0x000007FEF26E0000-0x000007FEF323D000-memory.dmp

memory/1792-58-0x00000000029A2000-0x00000000029A4000-memory.dmp

memory/1792-57-0x00000000029A0000-0x00000000029A2000-memory.dmp

memory/1792-59-0x00000000029A4000-0x00000000029A7000-memory.dmp

memory/1792-60-0x00000000029AB000-0x00000000029CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:26

Reported

2022-01-24 06:59

Platform

win10-en-20211208

Max time kernel

161s

Max time network

185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\HideTrace.tif => \??\c:\users\admin\pictures\HideTrace.tif.83244k9s C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\RequestEnable.tif => \??\c:\users\admin\pictures\RequestEnable.tif.83244k9s C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\users\admin\pictures\AssertStop.tiff C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\users\admin\pictures\CompareAdd.tiff C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\CompareAdd.tiff => \??\c:\users\admin\pictures\CompareAdd.tiff.83244k9s C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\AddResolve.crw => \??\c:\users\admin\pictures\AddResolve.crw.83244k9s C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\AssertStop.tiff => \??\c:\users\admin\pictures\AssertStop.tiff.83244k9s C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteConvertFrom.raw => \??\c:\users\admin\pictures\CompleteConvertFrom.raw.83244k9s C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlsh603ajc7ct.bmp" C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ApproveWrite.html C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\CompleteAdd.wmv C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ProtectResolve.dot C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ProtectUse.M2TS C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\RevokeExpand.scf C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\TraceOut.wax C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ApproveRedo.odp C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ConfirmEdit.htm C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\DisableSkip.js C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\DisconnectUninstall.xltx C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ProtectGrant.wpl C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\WritePing.wav C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\UnpublishJoin.gif C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\PopMove.dib C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ReadCopy.wdp C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\RequestProtect.htm C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\StepAdd.htm C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\UnpublishStop.html C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\WriteRequest.fon C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files\83244k9s-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\InvokeGroup.DVR C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\NewOptimize.emz C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ResolveResize.eprtx C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File created \??\c:\program files (x86)\83244k9s-readme.txt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\OpenCopy.m1v C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\ProtectSearch.wm C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\RestartMount.emf C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\DisconnectCompare.xml C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\DisconnectNew.mhtml C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\RemoveSuspend.odt C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
File opened for modification \??\c:\program files\UseNew.3gp C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe

"C:\Users\Admin\AppData\Local\Temp\a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 silverbird.dk udp
US 8.8.8.8:53 betterce.com udp
US 34.200.75.129:443 betterce.com tcp
US 8.8.8.8:53 www.betterce.com udp
US 34.200.75.129:443 www.betterce.com tcp
US 8.8.8.8:53 vapiano.fr udp
US 162.159.135.42:443 vapiano.fr tcp
US 8.8.8.8:53 penumbuhrambutkeiskei.com udp
US 8.8.8.8:53 alcye.com udp
US 8.8.8.8:53 wasnederland.nl udp
US 8.8.8.8:53 sealgrinderpt.com udp
US 104.21.94.184:443 sealgrinderpt.com tcp
US 8.8.8.8:53 janmorgenstern.com udp
DE 217.160.0.205:443 janmorgenstern.com tcp
US 8.8.8.8:53 alltagsrassismus-entknoten.de udp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
US 8.8.8.8:53 www.alltagsrassismus-entknoten.de udp
DE 91.210.225.23:443 www.alltagsrassismus-entknoten.de tcp
US 8.8.8.8:53 line-x.co.uk udp
US 172.67.145.210:443 line-x.co.uk tcp
US 8.8.8.8:53 littlesaints.academy udp
US 151.101.66.159:443 littlesaints.academy tcp
US 8.8.8.8:53 motocrosshideout.com udp
US 198.46.90.29:443 motocrosshideout.com tcp
US 8.8.8.8:53 flossmoordental.com udp
US 173.255.198.240:443 flossmoordental.com tcp
US 8.8.8.8:53 stralsund-ansichten.de udp
DE 91.210.225.22:443 stralsund-ansichten.de tcp
US 8.8.8.8:53 www.stralsund-ansichten.de udp
DE 91.210.225.22:443 www.stralsund-ansichten.de tcp
US 8.8.8.8:53 efficiencyconsulting.es udp
ES 91.146.100.126:443 efficiencyconsulting.es tcp
US 8.8.8.8:53 welovecustomers.fr udp
FR 51.15.236.35:443 welovecustomers.fr tcp
US 8.8.8.8:53 www.welovecustomers.fr udp
NL 65.9.82.97:443 www.welovecustomers.fr tcp
US 8.8.8.8:53 buerocenter-butzbach-werbemittel.de udp
US 8.8.8.8:53 clinic-beethovenstrasse-ag.ch udp
DE 157.90.88.146:443 clinic-beethovenstrasse-ag.ch tcp
US 8.8.8.8:53 90nguyentuan.com udp
US 8.8.8.8:53 martinipstudios.com udp
NL 37.48.118.150:443 martinipstudios.com tcp
US 8.8.8.8:53 bonitabeachassociation.com udp
US 8.8.8.8:53 luvinsburger.fr udp
FR 188.165.53.185:443 luvinsburger.fr tcp
FR 188.165.53.185:443 luvinsburger.fr tcp
US 8.8.8.8:53 jollity.hu udp
HU 185.33.54.20:443 jollity.hu tcp
US 8.8.8.8:53 hvitfeldt.dk udp
DK 195.242.130.99:443 hvitfeldt.dk tcp
US 8.8.8.8:53 jacquesgarcianoto.com udp
US 8.8.8.8:53 husetsanitas.dk udp
DK 77.111.240.107:443 husetsanitas.dk tcp
US 8.8.8.8:53 drnelsonpediatrics.com udp
US 50.116.53.94:443 drnelsonpediatrics.com tcp
US 8.8.8.8:53 cmeow.com udp
CA 165.227.40.200:443 cmeow.com tcp

Files

memory/976-123-0x000001FA1A2F0000-0x000001FA1A312000-memory.dmp

memory/976-128-0x000001FA7EBA0000-0x000001FA7EBA2000-memory.dmp

memory/976-129-0x000001FA7EBA3000-0x000001FA7EBA5000-memory.dmp

memory/976-130-0x000001FA1A3A0000-0x000001FA1A416000-memory.dmp